PSD3 updates: Deep dive on fraud prevention, bank liability, and the regulatory impact

Frederik Mennes
Summary:

In this 30-minute interview, Eward Driehuis, VP of Fraud Engineering at ThreatFabric, speaks with Frederik Mennes, Director of Strategy at OneSpan. Their technical conversation covers topics of interest to European and global fraud prevention leaders in financial services. Listen for an update on PSD3 and the PSR; impersonation scams; liability for banks and others; and what makes cybersecurity such an interesting profession. Recorded on 9 December 2025. The transcript has been lightly edited for clarity. Enjoy the interview.

Eward: I’m here in the heart of Europe, in Brussels, speaking to Frederik Mennes at OneSpan. He’s the Director of Strategy and has a very wide range of knowledge from deep technical cryptography to rules and regulations. With someone as knowledgeable as him, I’m sure that we can have an amazing conversation on PSD3. Welcome to a new episode of Fusion Fireside.

Frederik, you were trained as a cryptographer, so you have some technical skills, mathematical skills, and knowledge of the deeper underlying principles of the stuff we are putting out there in cybersecurity every day. How does it help you in your daily work to have that deep technical understanding of the underlying algorithms and principles?

Frederik: Very nice to meet you, Eward. My background is actually in computer science engineering initially. My foundations are in computer science. During my computer science education, I took some elective courses about computer security, security software development, cryptography, and I liked it so much that I decided to spend an additional full year studying information security, as it was called at that time, in London. And as part of that I had quite a few elective courses also about cryptography and more advanced topics in cryptography, which I really liked very much.

Here at OneSpan in my current role as Director of Strategy, I’m not using cryptography that often anymore as a tool. But it’s definitely something very useful to understand how the market is evolving, how we need to adapt our products to the market and to the needs of our customers. So a technical background, in my view, is very important in order to be able to understand our business and to drive our business forward.

Eward: That makes sense because in the old days, it was all about key sizes – right? We went from 1024 to 2048 and so on, doubling the key sizes. And then came quantum…

Frederik: Yes, absolutely. Quantum computers are probably coming. I think we have to be a little bit prudent still when we talk about quantum technology and quantum computers in particular. They are here today but with very limited capabilities. You can do very simple calculations with them nowadays. But we are still far from quantum computers that are capable of actually breaking our existing cryptographic algorithms with the key sizes that you mentioned.

Eward: Yes, that makes sense. So the realm of the hypothetical – and the realm of, let’s say, the feasible and scalable technology – that’s really far apart still?

Frederik: When it comes to quantum, absolutely. We hear a lot in the news about the upcoming quantum computers but as of today I don’t think we can do anything useful with them – let alone that we could break the existing cryptographic algorithms with the traditional key sizes. That’s still a little bit early. Maybe if we do an interview again in 10 years, the situation will be different.

PSD3 & PSR updates

Eward: So another thing in 10 years that might be completely different is, of course, how society is dealing with all this technology. I was wondering, from your technical background, how did you end up being so knowledgeable on rules and regulations? Because that’s where you focus as well.

Frederik: Yes, indeed, because the subject today is unfortunately not about cryptography but about legislation. So, I’m not a lawyer. I don’t have a legal background. I just became interested in legislation – and especially legislation related to fraud detection and strong authentication of digital banking users – because legislation is so important for the business we are in.

The legislation is really defining minimum security requirements; the minimum requirements that all banks, and therefore also the suppliers of cybersecurity technology to banks, must adhere to. So yes, I think I became interested in legislation because it’s really so important for our business. And also when we talk to customers, it really helps that you understand their background, their reasoning, and that is often based on regulatory compliance – among many other things, of course.

Eward: Would it be true to say there are two ends of the spectrum… but they definitely meet in the middle, right? And sometimes if you are blind to one side of the spectrum it might evoke mistakes on the other end.

Frederik: Absolutely. I think that’s one of the nice things about the profession of information security and cybersecurity. It’s so broad. We can express it in bits and bytes, in cryptography, and implementations in software or hardware, but you can also talk about legislation at the very other end of this spectrum. For me, that actually makes it interesting as a profession.

Eward: I think one of the pivotal moments is upon us because with regards to payment security and consumer protection, in Europe a lot is changing – or let’s say evolving. But I guess that might also mean that for the world, things are changing because for everyone who wants to deal with or operate in Europe, any upcoming legislation is relevant as well. Just a few weeks ago, you mentioned that PSD3 has come to the final political negotiations. So is there anything that changed, with those final negotiations?

Frederik: Yes. So the process towards PSD3 and the Payment Services Regulation (or PSR, as we call it) started almost three years ago, back in June 2023. That’s when the European Commission made its first proposal. So now, almost three years later, about two weeks ago (this interview was recorded on December 9, 2025) the European Commission, the European Parliament, and the European Council reached a political agreement about the most important requirements for the Payment Services Regulation.

That doesn’t mean that the PSR text is finished. That’s not yet the case. But it means that now, the so-called ‘technical trilogue discussions’ between the Commission, the Council, and the Parliament continue and we expect the final text to become available in the beginning of next year. I’d say March of 2026 at the latest.

But some things have leaked, or have been announced, about the content of this political agreement from the end of November. One very important item that became public is the liability. That is key and that will be used in the PSR. The liability means who is responsible to pay when there is a fraud case in digital payments or in digital banking. In the UK for instance, the bank is always liable for this. They are liable for all types of so-called authorized push payment fraud. So, all kinds of social engineering scams, up to a cap of 85,000 British pounds.

It was interesting to see what would be ultimately decided for the European Union. And I have to be prudent here because not all the details have been published yet, but what has been announced is that banks will have the primary liability for a certain type of authorized push payment fraud, namely the so-called bank impersonation scams.

So if a fraudster impersonates an employee of a bank or impersonates the bank as an institution, and this leads to fraud, in that case the victim would not be held liable, but the bank would be held liable. Meaning that the bank would refund the victim.

Eward: So in the UK they make a differentiation between the sending bank and the receiving bank. Do they do that in PSD3 as well?

Frederik: No. That’s not an element in PSD3. It’s really the bank that is liable for bank impersonation scams.

Eward: So it’s really the bank where the money is moved from.

Frederik: Yes. But very importantly – and this is also a major difference with the United Kingdom – in Britain all types of APP scams fall under the liability of the bank. While in Europe, it will only be the bank impersonation scams. That’s really a very important difference.

Eward: Yes. Because let’s say, from experience, a tech impersonation scam and a bank impersonation scam are very similar. So if they impersonate Microsoft, they would not be liable.

Frederik: That’s right. I mean, there is a lot to discuss about this and why limit it to banks? Why limit it to impersonation scams? Why not include other scams like purchase scams, investment scams, romance scams, you name it. You can discuss that for a very long time and that’s also a discussion that the Commission and the Parliament had amongst themselves.

Eward: It’s interesting because going back to how you understand technology and you understand the regulatory side of this, it’s difficult to speak the same language, right? I bet some anti-fraud experts are scratching their heads as to why certain types of fraud are being subject to liability and others aren’t. But also, they might for example say: ‘Well, if you’re a victim of a scam, just say the bank called even if it wasn’t so.’ So I guess it’s a slippery slope, if you will.

Frederik: Yes, it will definitely be a grey area. There will undoubtedly be discussions about whether this falls under the definition of bank impersonation scams or not. I think, ultimately, banks wanted to avoid becoming liable for all types of scams in Europe. At the moment, under what we expect to be in PSD3, they take on liability for fraud that is somehow related to digital banking or digital payments. There will definitely be a grey zone.

Eward: And that makes sense as well. Just because you are part of a system doesn’t mean you’re responsible for everything that happens within said system. So there are boundaries somewhere. And I guess the aim of the regulation is to find the boundaries in a way that is fair.

Frederik: Absolutely. I just wanted to add a very important second item about liability. It’s not only the banks that will ultimately carry the liability. Fraud very often originates outside of a digital banking application. It usually originates on a social media platform. I think we all know them. So what the European institutions have decided is: They’ve agreed that banks will be able to transfer the liability to another party, such as social media platforms, telecommunications providers… if the fraud started there.

If the fraud originated there. And I think that’s actually fair. If you look at statistics indicating where fraud originated, you see that more than 75% of APP fraud actually originated on social media platforms or via SMS messages.

I think it makes a lot of sense that European institutions have foreseen this possibility to transfer the liability. And this is a major difference with the UK. In the UK, this possibility does not exist actually.

Eward: Is there a resemblance with some of the other regulations? For example, the Australian regulation speaks a little bit more about tech liability than UK regulations. Do you see parallels there?

Frederik: Yes, absolutely. I think Australia is a very good example of a country that has already introduced legislation. It carries elements from both the United Kingdom – and Australia’s part of the Commonwealth – but it’s also similar to the European Union in the sense that it also allows banks to transfer liability to other parties, including, amongst others, social media platforms and telecommunications providers. So in that way, Australia is indeed very similar.

Eward: Interesting. Another interesting thing I’m thinking about in the UK is the limit of 85,000 pounds sterling. Is there such a limit defined in PSD3?

Frederik: No. There is no limit at the moment and I don’t think it will come either. So the full amount of the fraud experienced by the victim, let’s say, is the amount to be refunded by the bank first of all, and then perhaps later, let’s say, by the social media provider.

Eward: Are there other specifics that have been decided on, that might be interesting to discuss?

Frederik: I think the liability is probably the most important element. That was present in the press releases following the political agreement. But we can certainly discuss some of the preventive measures – measures to prevent fraud – that will most likely be present in the final text. Liability only comes into play when there has been a fraud case and PSD3 actually first of all wants to prevent the fraud. So we can certainly talk about that as well.

Eward: Exactly. So it’s supposed to be an incentive for PSPs to protect their customers against fraud.

Frederik: Absolutely. And the fact that banks, or payment service providers more generally, are held liable or will be held liable and will have financial consequences in terms of fraud – this will provide incentives to them to invest in fraud detection and fraud prevention technology and other counter-measures to prevent the fraud in the first place.

Eward: So I’m guessing they don’t mention specific technologies – or are they going into detail on those parts? What do they think, what does good look like?

Frederik: Yes, it’s very broad. I think one of the counter-measures isn’t technical, it’s about user education. It’s about awareness. And I think it’s fair that probably the strongest protection against fraud is better user awareness. Making sure people think twice – or even three times! – when they are involved in a very strange activity. When they receive a message from Brad Pitt asking them for money. Maybe they should think twice instead of just responding to that inquiry. There is a lot of focus on user education, awareness, but also on more technical controls.

Technical measures PSPs can implement

Eward: Does PSD3 actually speak about technical measures that PSPs can implement to protect their customers?

Frederik: Yes, indeed. That’s also a very important part of the PSD3 legislation. Besides liability and the importance of user education and awareness, PSD3 requires all payment service providers to provide something called verification of payee or confirmation of payee. In the Netherlands, this is already a very common practice and has been for many years. But in many other European countries, including Belgium, this didn’t exist until recently. All payment service providers under PSD3 will be required to implement verification of payee. So, checking whether the bank account number matches the name of the beneficiary when initiating the payment.

Besides that, transaction monitoring will need a refresher as well. Transaction monitoring was already present under PSD2, but PSD3 emphasizes the importance of including behavioral intelligence and device intelligence or environmental intelligence in the transaction monitoring systems of payment service providers. Behavioral intelligence and device intelligence are really key signals to detect and to prevent various impersonation scams. So these are some of the examples of technical measures that also need to be implemented.

How PSD3 has evolved: Context to better understand PSD2 and PSD3

Eward: You’ve studied PSD3’s progress and how it has evolved. I think one of the interesting things is that the last iteration of the Payment Services Directive, so PSD2, I think it’s already been 12 or 13 years since it came out. I was an anti-fraud tech back then as well.

PSD2 very much focused on opening up banking to fintechs and creating a competitive environment for fintechs. Those were some of the big takeaways. PSD3 is more focused on protecting consumers. How do you see that evolution?

Frederik: It seems like we have another PSD every decade or so. […] But indeed, legislation is usually a response to things that happened earlier. Technological evolutions, fraud evolutions… PSD2 was basically about introducing open banking in a formal way into the European Union. It was also about protecting digital banking and digital payment systems against account takeover fraud, which was the big problem at the time. Account takeover fraud is stealing the credentials of the victim and logging into the victim’s account with these credentials. Strong customer authentication (SCA) was the answer to the problem of ATO fraud.

Now, in the 2020s, fraud has evolved. Also, under pressure of PSD2, I believe, fraud evolved. The main type of fraud that we now see in digital banking or digital payments is authorized push payment fraud or APP fraud. There are a lot of examples...

Eward: Scams…

Frederik: Yes. Impersonation scams, investment scams, etc.

And the right type of answer to these scams is not only strong customer authentication. You have to look at better fraud detection, fraud prevention. That’s also what we see now in the PSR. There are various counter-measures in there to help banks and other PSPs protect against this type of scam.

The global impact of PSD3

Eward: So we’re sitting here in Brussels. Not too far from here is the SWIFT headquarters in La Hulpe. We are about to have PSD3 to protect consumers and incentivize fraud prevention. How are we doing in Europe? Do you think that we’re on the right track?

Frederik: If we look globally, Europe pays a lot of attention to curbing fraud, especially if you compare it with North America. In Europe, we pay much more attention to curbing fraud especially at a regulatory level. When we compare Europe against Asia Pacific, for instance, I think we have a very similar situation. The financial regulators in Asia Pacific, I’d say Singapore, Hong Kong, Malaysia, they also pay a lot of attention to limiting fraud via regulatory mechanisms. So Europe and Asia Pacific are very similar. Regulators have similar powers, I would say. North America has more the laissez-faire attitude. They leave it to the markets and it’s up to the banks to take care of the fraud in the way that they want to do it – I mean more or less, I’m exaggerating. There is some regulation. But there is definitely no regulation in North America related to preventing APP fraud at the moment.

Eward: PSD3 is going to impact anyone working in Europe or headquartered in Europe or even with branch offices in Europe. It’s very likely that anyone who wants to do business in Europe is going to be impacted in some way as well. But would it be fair to say that PSD3 will have an impact on the entire world?

Frederik: Yes, I mean the impact of PSD3 will certainly not be limited to the European Union or the European Economic Area. We saw the same with PSD2; it had a much broader effect also on financial institutions that are doing business in the EU, for instance Japanese banks that have a subsidiary within the European Union. They will also look at PSD3. They looked at PSD2 in the past.

But even companies or banks that do not have business in the European Union will just look at the legislation because many legislators outside Europe actually are inspired by what we do in Europe. For example, legislators in the Middle East, in Africa, and beyond, will also look at the PSD3 legislation and see how they can adjust their own legislation to be more in line with what we do.

Eward: So that also means that there’s a huge responsibility on the people building PSD3 because if they get it wrong, so to say, the rest of the world [is taking inspiration from that]. Is there anything anyone can do to influence the final stages of the writing of the regulation or is it all set in stone now?

Frederik: It’s not set in stone yet, so at the moment the technical trilogues or the technical discussions between the representatives of the European Commission, Council, and Parliament are taking place. And these people certainly still talk to other parties. They speak with representatives of banks, consumer organizations, and cybersecurity vendors, so these discussions continue and I think this is actually healthy. It’s important for the legislators to hear feedback from all the parties that will be influenced or impacted by their work.

Looking beyond PSD3 and the PSR

Eward: My last question: this is going to be a big thing. Especially for yourself and myself working in fraud prevention, mostly for European banks. PSD3 is going to be a huge thing. But after this regulation is finalized, what’s the next thing in your mind that regulators should focus on? Are there big gaping holes caused by the state of technology evolution that need to be addressed next?

Frederik: First of all, when the PSD3 text is finished, that’s only the first step in the PSD3 process. There will be, I think, about 15-20 additional texts developed by the European Banking Authority which specify the requirements of the, let’s say, first-level PSD3 text in more detail. So we’re certainly not done yet when the PSD3 text is final.

Having said that, let’s suppose PSD3 is all done. That all the additional texts have been written, then we will probably be OK for 5 years or something.

But undoubtedly in the 2030s we will have PSR2 or PSD4, whatever, and you can already see gaps today that will most likely need to be addressed. Just one example: we all see the advent of AI agents. Meaning, software applications that perform a lot of tasks on behalf of users like making payments, purchasing goods or services on an ecommerce website. AI agents are not mentioned in PSD3. This is something that will need to be tackled in upcoming legislation. How do you apply strong customer authentication to an AI agent, for example? Which fraud detection mechanisms can be used? When everything is automated by AI agents, you cannot look at the behavior of the user anymore to detect fraud. I think these are all questions that we can ask today and we will need to address them in legislation in the future.

Eward: It seems like for us, as with the legislators, that our work is never done.

Frederik: In this area, no. I think there is still a lot of work to do.

Eward: Thank you, Frederik, for this conversation on PSD3 and PSR.


Frederik Mennes is Director of Product Management & Business Strategy at OneSpan. In this role, he is responsible for defining and implementing OneSpan’s business strategy for specific industry verticals, and to determine how OneSpan responds to security and regulatory market trends. Previously, Frederik led OneSpan's Security Competence Center, where he was responsible for the security aspects of OneSpan's products and infrastructure.